Summer 2018 wiping student systems...

mconners
Valued Contributor

Hello Everyone,

The question I have is, what are others planning on doing to wipe or clear off drives for the coming summer? What workflow are you using? Will you be imaging with NetBoot, will you be doing something else to wipe the drive and load the OS?

We currently use NetBoot/Jamf Imaging to erase the internal drive and we load the OS, that's it, nothing more. Once the computer restarts, we cache the installers and call up a policy to install all cached installers. This way, the network isn't taxed as much. It's worked pretty well with a few exceptions.

Just curious. We are ready for our spring semester, but I think our workflow will be changing and just looking for advice.

Thank you.

20 REPLIES

CasperSally
Valued Contributor II

@mconners

I'm disappointed that jamf doesn't seem to be supporting startOSinstall natively in some way. I'm testing an imagr/dep/depnotify workflow, it works, but it's a lot slower than imaging, so you have to plan accordingly.

With imaging, you could lay down an autodmg base image in ~2 minutes. With the new supported way to reload the OS (particularly to get the firmware updates and go from 10.12-->10.13), you have to use startOSinstall via netinstall/imagr or internet recovery, and just getting the OS on the workstation takes 25 minutes in my testing, plus the time to load the software you need.

Keep in mind, the new iMacs don't support network booting, so the above workflows are out (you may be able to restore via external drives). That may be a sign of what's to come with all new hardware from Apple. If they want to go that direction, they really should have released a snapshot solution, using caching servers, or even some way to more quickly load the OS via Configurator (shudder). Internet Recovery doesn't scale for schools/labs, etc.

I'm actively trying to have calls with Apple and jamf to seek out the best solution, but right now it's a lot of shrugging from everyone involved. Weeks ago when I had a call with Apple, they seemed shocked that just keeping everything updated all the time isn't possible in shared lab/cart environments where it's OS, apple applications, and dozens of vendor programs, so I encourage you to reach out to reps if you have them.

You also can check out @reddrop's post here about using Casper Imaging - it would save you time if your computers were already 10.13, I think, but if they're 10.12, it's using the supported startOSinstall to upgrade the machine, so still the same 20+ minute OS install.

This post goes into more detail about imagr/netinstall

mconners
Valued Contributor

Thanks @CasperSally for your reply. I think something is in the wings though but I don't know what it is. Working with Apple engineering on a remotely triggered NetBoot with Jamf imaging, I was told there is something happening before summer that should be helpful for us Apple SysAdmins. He didn't elaborate at all, but said there was something coming to make our lives a little better.

While that could be up for debate at the time on whether or not it is better, I really don't like the fact that changes are made to Apple/their OS/their hardware without a lot of consultation at all with those of us who are managing these things in the enterprise. With more and more devices ending up outside of the consumer space, there need to be better tools to effectively do our jobs.

That all being said; with all of us collectively communicating, we can find a path through the forest. Thank you all for your feedback. It is greatly appreciated.

CasperSally
Valued Contributor II

@mconners, interesting. I got a very different feeling when I talked to Apple, that nothing was coming in time for summer refreshes. I added some links above that may be helpful for you.

I know jamf will eventually allow us to click a button via MDM and "update macOS" like you can with iOS - but that doesn't help us to get all the apps in the labs updated, nor does it help with the updating OS taking so long that it's not really practical to do in a cart environment most of the time.

CGundersen
Contributor III

Apple is digging a nice hole for themselves (with a number of institutions). Snapshot solution or bust imo.

georgecm12
Contributor III

@CasperSally Which Macs are you referring to that "don't support network booting"?

CasperSally
Valued Contributor II

@georgecm12 the new iMacs, and the thought is that may be a sign of what's to come with other new hardware

https://scriptingosx.com/2017/10/imaging-is-dead/

https://scriptingosx.com/2017/12/netinstall-is-dead-too/

georgecm12
Contributor III

Ah, the iMac Pros. While technically an iMac (it's got "iMac" in the name, after all), I guess I still consider those a separate product line from the iMac line.

But yes, you're right, it may be a sign of what's to come.

In any case, for me, I am waiting for two things to really make best use of DEP in labs/classrooms:

  1. a way to do the equivalent of a "erase all content and settings" remotely on a Mac (which could take the form of a "restore to baseline snapshot" with APFS drives), and
  2. a way to do a "fast forward" through the setup assistant, the way the AppleTV behaves with DEP, such that no interaction would be required at the client side, as long as the Mac has network connectivity and is assigned to an appropriately configured prestage enrollment.

If both were in place, a "reimage" of a lab would be a piece of cake. Send an "erase all content and settings" and let the client machine take it from there.

bradtchapman
Valued Contributor II

@CGundersen : I think we're all still discovering the best way to use the new snapshots feature of APFS. Currently, the only way to roll back the primary boot volume is from Recovery OS.

As to your other concern, the reason why this is getting harder is that Apple has been working for years to prevent tampering with the base OS, whether intentionally by a well-meaning IT department, or with malice by a nation-state actor looking for ways to compromise a user's machine. This drastically reduces the number of edge-case, off-the-wall support issues that would only be explained, after hours of intense diagnosis, by a low-level hack. They're making it harder to install third-party kernel extensions because they have led to system instability in the past. The app sandbox model prevents one application from reading another's contents without explicit permission from the user.

For institutions who must do high volume deployments, Apple would suggest buying a Mac mini as a caching server. At a recent tech conference, @gregneagle demonstrated a hidden set of parameters for Content Caching in High Sierra. If you go to System Preferences > Sharing pane, select Content Caching, and hold down the option key, you will see that the [Options] button turns into [Advanced Options]. From there, you can configure peering and caching parameters in a way that would be more comfortable for a systems administrator.

The Mac mini is another expense, but it reduces the need for additional Internet bandwidth since the OS restore will come from the local mini. The package itself is encrypted, so this guarantees that the OS hasn't been tampered with in any way. Internet Recovery / DEP takes about as many clicks as the local NetBoot process, and it will use the local server if available.

CGundersen
Contributor III

Yeah, we have ~60 Mac Minis for caching. ~16,000 (Mac) clients. Good times. Apple can do much better ... my opinion of course. Thanks.

kwsenger
Contributor

@mconners

In the Milton School District we do the following:

  • Casper Imaging on two older MacBook Pros with two partitions. One is a replicated Casper Distribution Point, the other is the bootable partition.
  • Casper Imaging > TMI using a list of computer names based on serial number. This lays down a new OS and all the packages and scripts we need. Most scripts are running at reboot. We use an unmanaged switch with 20 cat 5 cables.

Once the TMI is complete we remove the Thunderbolt cable and insert a Thunderbolt Ethernet dongle and reboot.
Wait 5 minutes and the MacBook is now enrolled with a local admin user based on a PreStage. We can do a machine start to finish in about 10 minutes or so and have students run through an assembly process. We wipe about 250 MacBooks (graduating seniors) and 2500 iPads each summer.

We are right down the road from Madison College in Milton, WI.

bradtchapman
Valued Contributor II

@georgecm12 : You can bet that's coming in a future OS update. Apple's laying the groundwork with the APFS, the snapshot options, and the T2 secure boot chip in the iMac Pro. There will likely be an extension to MDM that tells Recovery OS to restore to a previous snapshot on reboot.

Making a prediction now... the laptops were just refreshed a few months ago with no significant changes. The next computer to get the T2 chip will be the upcoming Mac Pro, the Mac mini, and a smaller less-powerful iMac aimed at the education market. If Apple releases a new computer with T2, and then introduces the "Erase / Restore" feature in macOS 10.14 at WWDC, school districts will pounce on that for their summer 2019 upgrade projects. This will make Faronics very sad, of course, but it will reduce costs AND make a lot of admins very happy.

mconners
Valued Contributor

Thank you @kwsenger, that is an interesting approach. I hadn't played a lot with TMI as we have remote campuses. My goal this coming summer is to be able to remotely control the process without physically touching each Mac. While a pipe dream, I am hopeful our workflow can be even more refined.

The challenge it sounds like for many of us is being able to "reset" the OS to a base Apple OS so we can begin managing the Mac and deploying apps and settings as we normally do. If we can work out this challenge to remotely wipe or reset a Mac, then the rest can be worked out.

jhuls
Contributor III

Just out of curiosity for these student systems do the students have admin privileges on them? If not, is there a reason not to just wipe out the user profiles and move on?

CasperSally
Valued Contributor II

@jhuls We wipe student local profiles regularly. The issue for us is not just updating macOS, but all the other software titles we support (that aren't in the App Store). We have an Adobe Creative Cloud subscription so many Adobe titles are installed on thousands of computers, plus all kinds of other software. Rather than update every piece of software, it at least used to be much quicker to nuke and pave with the latest versions.
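As an added example (not code posted by anyone in this thread), here is the "wipe the student profiles, keep the management accounts" step as a shell routine. The user list and UIDs are constructed to look like `dscl . -list /Users UniqueID` output, the keep-list is an assumption you would replace with your own admin account names, and `dscl`/`sysadminctl` are the real macOS tools. The default is a dry run so the deletion list can be reviewed before anything is removed; the filter is what stops a profile wipe from taking the Jamf management account with it.

```shell
#!/bin/bash
# Added example: remove local student accounts on a lab Mac while protecting
# the management admin account(s). Names and UIDs below are constructed.

# Accounts that must never be deleted, one per line (assumption: adjust to your site).
KEEP_USERS="root
jamfadmin
labadmin"

# Constructed sample of what `dscl . -list /Users UniqueID` prints on a lab Mac.
SAMPLE_USER_LIST="root 0
_mbsetupuser 248
jamfadmin 501
labadmin 502
student1 503
student2 504
guest 201"

# Print the usernames that are safe to remove:
# not a _service account, UID >= 500 (i.e. not a system/guest account), not in the keep-list.
# $1 = "user uid" lines, $2 = keep-list (newline-separated)
users_to_wipe() {
  printf '%s\n' "$1" | while read -r name uid; do
    [ -z "$name" ] && continue
    case "$name" in _*) continue ;; esac       # service accounts
    [ "$uid" -ge 500 ] || continue             # system / guest accounts
    if printf '%s\n' "$2" | grep -qx -- "$name"; then
      continue                                 # protected admin
    fi
    printf '%s\n' "$name"
  done
}

# Delete each account with sysadminctl (macOS 10.13+); -secure also erases the home folder.
# DRY_RUN=1 (the default) only prints what would run.
wipe_profiles() {
  DRY_RUN="${DRY_RUN:-1}"
  for u in $(users_to_wipe "$1" "$2"); do
    if [ "$DRY_RUN" = 1 ]; then
      echo "would run: sysadminctl -deleteUser $u -secure"
    else
      sysadminctl -deleteUser "$u" -secure
    fi
  done
}

# On a real Mac, feed it the live account list:
#   DRY_RUN=0 wipe_profiles "$(dscl . -list /Users UniqueID)" "$KEEP_USERS"
wipe_profiles "$SAMPLE_USER_LIST" "$KEEP_USERS"
```

Run it as root from a policy after the semester's last login; check the dry-run output once on a representative Mac before flipping DRY_RUN to 0 fleet-wide.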

lynnaj
New Contributor III

To start the Fall 2018 semester off correctly, I will have about 350 Macs to "nuke and pave", all in, typically, less than 3 weeks. Currently, I am thinking that my workflow will be something like:

1) Copy the "Install High Sierra" upgrade to all machines
2) Run that upgrade remotely with a command like:

"/Applications/Install macOS High Sierra.app/Contents/Resources/startosinstall" --applicationpath "/Applications/Install macOS High Sierra.app" --agreetolicense --nointeraction

This upgrade is supposed to take care of the needed firmware updates and the APFS conversions on the macs.
3) After the macs are APFS or not and have the correct firmware updates, then I plan to nuke and pave with JAMF Imaging and a very basic High Sierra image (an APFS image for APFS macs and a non-APFS image for those macs that are not APFS).
4) Finally apply the 150 GBs of software and many settings with our standard set of policies and configuration profiles.

Does this workflow make sense to people? Does anyone have suggestions for doing this a different way? Is anyone, for example, considering setting up a virtual environment on all their Macs, with the primary macOS running in a virtual machine on the Mac so they can "snapshot" back to a clean state whenever they feel the urge to do that?
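Added example for steps 2 and 3 above (my code, not the poster's): a small shell routine that reads `diskutil info /` to decide whether a Mac gets the APFS or the HFS+ base image, and an unattended startosinstall call written so that it actually runs from a policy. The two `diskutil` outputs are constructed samples, the image file names are assumptions, and the installer path is the standard one for the High Sierra installer. Two things the one-liner in the thread tends to trip on: the installer path contains spaces, so every use of it must be quoted, and a non-interactive run needs `--agreetolicense` as well as `--nointeraction`. The `codesign --verify` guard refuses a cached installer whose Apple signature no longer verifies.

```shell
#!/bin/bash
# Added example, not from the thread: pick the base image from the boot volume's
# filesystem and run the High Sierra upgrade unattended. Image names are assumptions.

# Constructed sample of `diskutil info /` on a Mac already converted to APFS.
SAMPLE_DISKUTIL_APFS="   Device Identifier:        disk1s1
   Device Node:              /dev/disk1s1
   Volume Name:              Macintosh HD
   File System Personality:  APFS
   Type (Bundle):            apfs"

# Constructed sample from a Mac still on HFS+ (Fusion drives stayed HFS+ on 10.13).
SAMPLE_DISKUTIL_HFS="   Device Identifier:        disk0s2
   Volume Name:              Macintosh HD
   File System Personality:  Journaled HFS+
   Type (Bundle):            hfs"

# Extract the filesystem personality from diskutil text passed on stdin.
fs_personality() {
  sed -n 's/^ *File System Personality: *//p'
}

# Map the personality to the base image to lay down (file names are assumptions).
# Returns 1 on anything unexpected so the policy fails loudly instead of imaging blind.
pick_image() {
  case "$1" in
    APFS)   echo "HighSierra-base-apfs.dmg" ;;
    *HFS+*) echo "HighSierra-base-hfs.dmg" ;;
    *)      echo "unknown filesystem: $1" >&2; return 1 ;;
  esac
}

INSTALLER="/Applications/Install macOS High Sierra.app"

# Unattended upgrade (macOS only; not exercised offline). The path has spaces, so it
# is quoted everywhere; --agreetolicense is required for a run with --nointeraction.
run_upgrade() {
  # Refuse an installer whose Apple signature does not verify (tampered or corrupt copy).
  codesign --verify --deep --strict "$INSTALLER" || {
    echo "installer signature invalid, not running startosinstall" >&2
    return 1
  }
  "$INSTALLER/Contents/Resources/startosinstall" \
      --applicationpath "$INSTALLER" --agreetolicense --nointeraction
}

# On a real Mac:  diskutil info / | fs_personality | { read -r p; pick_image "$p"; }
printf '%s\n' "$SAMPLE_DISKUTIL_APFS" | fs_personality | { read -r p; pick_image "$p"; }
```

Run the image selection after the upgrade has completed, since that is the step that converts the volume to APFS and changes the answer.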

georgecm12
Contributor III
Is anyone, for example, considering setting up a virtual environment on all their Macs, with the primary macOS running in a virtual machine on the Mac so they can "snapshot" back to a clean state whenever they feel the urge to do that?

There's no need to go virtual to get snapshotting - that's a feature built into APFS:

APFS Snapshots: How To Roll Back To a Previous Known State:
https://www.lifewire.com/roll-back-apfs-snapshots-4154969

CasperSally5432
New Contributor II

I've spoken with Apple and wouldn't expect customer facing snapshots to help with roll outs to 10.13 this summer (or restoring to 10.13 during next school year). It seemed like that was very much a (very) long term goal. Hope I'm wrong.

Asnyder
Contributor III

I drop a base image in about 30 seconds onto an SSD and then DEP takes over. This is for 10.12. After the 10.13 upgrade is done it is supposed to work with apfs as well. You just need an autodmg dmg.

https://apple.box.com/s/sx69b7cc19uplk8apcy4jfqgdhro2h93

Nix4Life
Valued Contributor

@georgecm12

Do you know if the retention time for snapshots has changed? Initially it was 24hrs, then auto-delete. I guess you could write a launch job that could touch it every 23hrs, but ain't nobody got time for that.

georgecm12
Contributor III

@Nix4Life To be fair, I haven't actually used snapshots in APFS. I just knew based on reading that article that APFS had snapshotting built-in. I was not aware that the snapshots have a built-in expiry.
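Added example tying together @georgecm12's APFS snapshot suggestion and @Nix4Life's expiry question (my code, not anyone's in the thread): a shell routine that works on the output of `tmutil listlocalsnapshots /` on 10.13. The snapshot list below is constructed. Snapshot names embed a zero-padded `YYYY-MM-DD-HHMMSS` stamp, so they sort and compare as strings without any date arithmetic, which makes it easy for a policy to check that a baseline snapshot still exists before anyone relies on rolling back to it. `check_baseline` uses BSD `date -v` and `tmutil`, so it runs only on a Mac.

```shell
#!/bin/bash
# Added example, not from the thread: check whether a usable local APFS snapshot
# still exists before planning a rollback to it. Sample data is constructed.

# Constructed sample of `tmutil listlocalsnapshots /` on 10.13.
SAMPLE_SNAPSHOTS="com.apple.TimeMachine.2018-06-10-090000
com.apple.TimeMachine.2018-06-11-030000
com.apple.TimeMachine.2018-06-11-150000"

# Strip the prefix, leaving YYYY-MM-DD-HHMMSS stamps, sorted oldest to newest.
# Zero padding means string order equals chronological order.
snapshot_stamps() {
  sed -n 's/^com\.apple\.TimeMachine\.\([0-9-]*\).*$/\1/p' | sort
}

# Newest stamp on stdin, or an empty string if there are no snapshots at all.
newest_snapshot() {
  snapshot_stamps | tail -n 1
}

# Print the stamps at or after CUTOFF (same format). Returns 1 if none qualify,
# which is the "the baseline has already been purged" case.
snapshots_since() {
  cutoff="$1"
  found=0
  while read -r stamp; do
    [ -n "$stamp" ] || continue
    if [ "$(expr "$stamp" \>= "$cutoff")" -eq 1 ]; then
      printf '%s\n' "$stamp"
      found=1
    fi
  done
  [ "$found" -eq 1 ]
}

# macOS only (not exercised offline): fail the policy if no snapshot from the last
# 24 hours survives, and say how to take a fresh one, instead of rolling back to nothing.
check_baseline() {
  cutoff=$(date -u -v-24H +%Y-%m-%d-%H%M%S)   # BSD date syntax
  if ! tmutil listlocalsnapshots / | snapshot_stamps | snapshots_since "$cutoff" >/dev/null; then
    echo "no local snapshot newer than $cutoff; create one with: tmutil localsnapshot" >&2
    return 1
  fi
}

# Offline demonstration on the constructed list:
printf '%s\n' "$SAMPLE_SNAPSHOTS" | newest_snapshot
```

The actual rollback still has to happen from Recovery, as noted earlier in the thread; this only tells you up front whether there is anything to roll back to.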